Vishing: A New Kind of Voice Phishing
You might be familiar with online “phishing” scams, which are designed to steal sensitive data and even money from unsuspecting web users. But now, criminals are using another fraud tactic called “vishing” to carry out their scams over the telephone.
What exactly is “vishing”?
Vishing (voice or VoIP phishing) is a telephone scam that uses seemingly legitimate caller ID descriptions and telephone numbers to convince individuals to disclose important personal data and financial information. Oftentimes, the callers will prey on a person's fear or financial stability to gain the information they need. Vishing acts just like email spoofing, where the email addresses look like they come from a trusted source. And because people usually trust the caller ID and the phone service, spoofed phone numbers can be used to trick the target by making it seem like the call is actually coming from a legitimate source.
What type of attacks should I be aware of?
Scammers can use a number of different techniques to acquire sensitive information or make calls at your expense. Some of the typical types of vishing include:
- Hosted scam. Attackers will target the hosted service provider and attempt to break into the network by taking advantage of default passwords or minimal security measures.
- Whitelist scam. Attackers gain access to your account and place their IP address on your whitelist, thereby allowing them to make calls at your expense.
- Registration scam. Attackers complete packet-based authentication before being able to place calls.
The problem with these kinds of scams is that they are difficult to trace and so it can be very tough, even impossible, to catch the scammers. For example, in the case of the Milwaukee scam, residents suspect that the scammer is actually located in a different country. According to Lisa Schiller, the reporter who published the original article, the scammer even mispronounced the word “Milwaukee” when she called him to fact-check the article.
How do I protect myself from these types of attacks?
Vishing attacks are becoming very sophisticated, making legitimate calls and attempts at theft difficult to differentiate. But these are a few things that you need to keep in mind in order to protect yourself from these types of attacks:
- Educate yourself on the latest scams,
- Document suspicious calls and report them,
- Block calls from international numbers,
- Don't trust the caller ID, and
- Change default passwords and login information on all devices.
Aside from these tips, you also need to be vigilant in order to keep your personal information protected at all times. Plus, you should follow these do’s and don’ts to avoid falling prey to vishing scams:
- Don’t call phone numbers found in unsolicited emails or on websites linked from an unsolicited email.
- Do validate the phone number by searching online and checking if the number is coming from a legitimate source. If the call is coming from a bank, you can validate the number by visiting their official website.
- Don’t give your account numbers, passwords, credit card details, PINs, and other confidential information over the phone unless the call is initiated by you or coming from a number you’re certain is valid. Remember, in most cases, callers will leave you a message if it is a real call from an important contact.
- Don’t assume that a call is always well-intentioned. So when you are in doubt, you can hang up the phone, contact the company, and then ask them about the message.
- Do keep in mind that many scammers won’t use a local phone number. Some of them will use a blocked number, which is virtually impossible to trace. So, your best bet is to always pause before answering a call from an unrecognized or blocked number.
- Do answer the phone, but always be careful before agreeing to any transactions. If you don’t recognize the name of the organization calling you, you have every right to ask for clarification.
- Don’t allow yourself to be overwhelmed. Even if you don’t recognize a caller to whom you do actually owe money, it won’t hurt anything to double-check and ask for clarification.
What can VoIP service providers do to stop vishing attacks?
In CNET’s blog post, Lance James, the Chief Scientist at Secure Science Corp, mentioned that the biggest vulnerabilities in the communications network happen when older technologies meet new technologies. Because of this, James believes that a joint effort by the VoIP service provider and the traditional phone company can stop the attacks and curb vishing in the process. Both the VoIP provider and the traditional phone company should verify and authenticate all calls in order to ensure that the callers are who they say they are. In this way, they can hamper VoIP fraud done by spoofing caller ID numbers.
But can you track a VoIP number?
It may be possible to trace the phone number to a particular IP address through some clever calling around to figure out what Internet service the number is using, and from there to figure out the physical location of the caller. It may also be possible, though the chance is slim, to figure out which VoIP service provider the scammer is using. That service provider may then be able to find out who bought the phone number; but this may be a nearly impossible task, especially if the scammer is located in a different country, as seems to be the case with this scammer.
VoIP phones make communications easy, convenient, and inexpensive. But just like any other devices, these innovative communication solutions can be targeted by hackers for the purposes of theft, fraud, and other crimes. Although VoIP fraud can happen at any time, there are precautions that you can take to protect your personal and financial information from cybercriminals. By following security best practices, monitoring your VoIP outbound calls, and coordinating with your VoIP service provider, you can protect yourself from falling prey to this type of voice phishing.
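As an added example (not part of the original article), the sketch below shows one way to monitor outbound calls for the whitelist scam described earlier: it compares the current IP whitelist with a known-good baseline and flags calls that come from unapproved addresses or go to international numbers. The record fields, addresses, phone numbers, and the domestic-only assumption are all constructed for illustration.

```python
import csv
import io

# Constructed sample data (documentation IP ranges, fictional phone numbers).
BASELINE_ALLOWLIST = {"198.51.100.10", "198.51.100.11"}   # known-good copy
CURRENT_ALLOWLIST = BASELINE_ALLOWLIST | {"203.0.113.77"}  # as configured now
HOME_PREFIX = "+1"  # assumption: this account only places domestic calls

SAMPLE_CDR = """\
start,src_ip,dialed,seconds
2024-05-01T09:12:00,198.51.100.10,+14145550101,180
2024-05-01T02:03:00,203.0.113.77,+442079460000,2400
2024-05-01T02:45:00,203.0.113.77,+14145550199,60
2024-05-01T03:10:00,192.0.2.5,+14145550123,30
"""


def allowlist_drift(baseline, current):
    """Addresses present on the allowlist now but absent from the baseline."""
    return sorted(current - baseline)


def audit_calls(cdr_text, baseline, home_prefix):
    """Return (row, reasons) for each outbound call that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(cdr_text)):
        reasons = []
        if row["src_ip"] not in baseline:
            reasons.append("source IP not in baseline allowlist")
        if not row["dialed"].startswith(home_prefix):
            reasons.append("international destination")
        if reasons:
            findings.append((row, reasons))
    return findings


def flagged_seconds(findings):
    """Total billed seconds across flagged calls, i.e. the exposure so far."""
    return sum(int(row["seconds"]) for row, _ in findings)


if __name__ == "__main__":
    print("Allowlist entries added since baseline:",
          allowlist_drift(BASELINE_ALLOWLIST, CURRENT_ALLOWLIST))
    results = audit_calls(SAMPLE_CDR, BASELINE_ALLOWLIST, HOME_PREFIX)
    for row, reasons in results:
        print(row["start"], row["src_ip"], row["dialed"], "; ".join(reasons))
    print("Flagged seconds:", flagged_seconds(results))
```

Auditing against the baseline rather than the current whitelist matters here, because an address the attacker added would otherwise look approved.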